| 1 |
Am 17.01.2012 03:22, schrieb Dale: |
| 2 |
> Howdy, |
| 3 |
> |
| 4 |
> It was on the news that some company got hacked into that was related to |
| 5 |
> Amazon. They said Amazon users should change their password just as a |
| 6 |
> precaution. I have a questions tho. I use some pretty good passwords |
| 7 |
> for the things that matter, sites such as my bank, credit card, ebay, |
| 8 |
> paypal, newegg and others that may store things such as my credit card |
| 9 |
> numbers. Here is a example but not a close match to a typical password: |
| 10 |
> |
| 11 |
> $cb78862A! |
| 12 |
> |
| 13 |
> According to those password strength websites, that is a great |
| 14 |
> password. Fairly long and lots of assorted characters and impossible to |
| 15 |
> guess since it contains no personal info such as birthdays or pets. |
| 16 |
> This is fairly typical for sites that matter. I may use something |
| 17 |
> simple for sites such as forums or something tho. |
| 18 |
> |
| 19 |
> My question. If I have a really good password and someone gets hacked, |
| 20 |
> should I change the password if the passwords are still safe? In other |
| 21 |
> words, they got some data such as email addys but the passwords and |
| 22 |
> credit cards are still secure. Should a person change it anyway? |
| 23 |
> |
| 24 |
> One reason I ask this. I remember my passwords well. If I go to |
| 25 |
> changing them every time someone gets hacked, I'll never be able to keep |
| 26 |
> up with them again. I use Lastpass to remember them but it could stop |
| 27 |
> working because of a upgrade or something. Then again, I could use its |
| 28 |
> autogenerate thing and just HOPE for the best on upgrades. |
| 29 |
> |
| 30 |
> Thoughts? What do you guys, and our gal, do in situations like this? |
| 31 |
> |
| 32 |
> Dale |
| 33 |
> |
| 34 |
> :-) :-) |
| 35 |
> |
| 36 |
|
| 37 |
Well, "it depends" is the only answer I can really give. There are |
| 38 |
basically 4 scenarios which might have occurred: |
| 39 |
|
| 40 |
1. Plaintext passwords were stolen. Then you should definitely change |
| 41 |
your pw. I doubt amazon is stupid enough to store passwords as |
| 42 |
plaintext, though. |
| 43 |
|
| 44 |
2. Relatively weak password hashes were stolen, for example MD5 or sha1 |
| 45 |
with no salt. With modern PCs, it isn't too hard to brute-force against |
| 46 |
such, even without rainbow-tables. Then you should change your password |
| 47 |
but you might get lucky and don't need to. |
| 48 |
|
| 49 |
3. Strong password hashes were used (something slow with a lot of salt, |
| 50 |
possibly without storing the salt so it has to be guessed as well). Then |
| 51 |
you don't need to change your password. |
| 52 |
|
| 53 |
4. Something else was done. For example known-plaintext or |
| 54 |
man-in-the-middle attacks against users. Then, well, it depends again ;) |
| 55 |
|
| 56 |
Concerning how I'd handle it: I use app-admin/keepassx with a master |
| 57 |
password. I'd just change the random amazon password as I've not |
| 58 |
memorized it. |
| 59 |
|
| 60 |
Obligatory xkcd reference: http://xkcd.com/936/ |
| 61 |
(I've checked the math, he is right.) |
| 62 |
|
| 63 |
Regards, |
| 64 |
Florian Philipp |
Archives